SANS ISC InfoSec Forums

Facebook is kind of training its user base that it is OK to click on links in emails, as long as they look like pretty buttons. When there is a friend request, or a comment has been added, in the interest of making sure that you get the message it is emailed. It was probably only a matter of time before Facebook like SPAM/PHISH email started arriving.

When I received the following, I must confess I nearly clicked it automatically, before I noticed the actual link.

When I did click the link, I got a second surprise. To be honest I was expecting a facebook login page, failing that I was expecting malware, but what I ended up with was this. Plain old SPAM

Not terribly exciting I agree. What caught my eye however was that the SPAM email looked darn close to the real thing, the emails Facebook users get every day.

If you have a user base that uses Facebook, you may wish to bring this to their attention. At the moment it is only SPAM, but it doesn't have to be.

If you are into blocking, this particular SPAM run ends up on 115.145.129.35 (South Korea), loads medicalaf.ru (In China) which redirects to cvecpills.com (In Romania). Not a bad method to get some distance between the emil and the eventual landing page. Allows them to switch targets easily.

The culprit behind this is probably the new kid on the block.. The original Storm, then Waledac, now ??who knows?? has been resurrected and is no doubt pushing the classic pharmacy SPAM to a screen near you, while stealing email login info at the same time to further itself. This time the bot means business. Has anyone detected how this critter connects to C+C?

recently I received several phishing mails which pointed to an empty page (accessed with curl). The only content was a refresh statement to the same page. Only when I sent a referrer indicating that I came from the same I saw the whole beauty. Seems that content was only delivered if the referrer pointed to it self. Nice way to block automatic malware pullers. Haven't seen that discussed so I thought it might be interesting.